← All terms
Phishing-Resistant MFA

What is Phishing-Resistant MFA?

Phishing-resistant MFA uses cryptographic, origin-bound authentication such as FIDO2 passkeys, so credentials cannot be captured or replayed by fake sites.

Last updated: 15 July 2026

How phishing-resistant MFA works

Traditional MFA factors, one-time codes from apps or SMS and push approvals, share a weakness: the user can be tricked into handing the proof to the wrong party. A convincing fake login page relays the password and the code to the real site in seconds, and a flood of push notifications eventually gets an accidental approval. The factor is real; the destination is not verified.

Phishing-resistant MFA removes the human from that verification. With FIDO2 and WebAuthn, the authenticator holds a private key and signs a challenge that is cryptographically bound to the website origin. If the user is on a look-alike domain, the signature simply does not match and authentication fails, no matter how convinced the user is. There is no code to read out, no prompt to approve blindly and no shared secret stored on the server to steal. Certificate-based smart cards achieve the same property through mutual TLS.

Why it matters

Phishing has industrialized. Kits sold as a service place a transparent proxy between the victim and the real site, capturing passwords, one-time codes and the resulting session cookie in real time, which defeats most conventional MFA without any sophistication from the operator. MFA fatigue attacks have compromised well-defended organizations simply by annoying one employee at the right moment.

This shift is reflected in guidance and regulation: security agencies and frameworks increasingly name phishing-resistant MFA explicitly, requiring it for administrators, remote access and high-impact systems. For organizations, the practical difference is stark: with origin-bound factors, the entire class of proxy phishing, code-relay and prompt-bombing attacks stops working, rather than merely becoming harder.

Adopting phishing-resistant MFA

Most organizations phase it in. Administrators, finance roles and remote access come first, since those accounts are targeted hardest. Passkeys make the rollout easier than older hardware-token programs: platform authenticators built into phones and laptops mean many users need no extra device, while synced passkeys reduce lockout risk when hardware changes.

Two details decide real-world resistance. First, fallback methods: if a user can still fall back to SMS codes, an attacker will simply trigger that path, so weaker factors must be phased out or tightly restricted. Second, registration and recovery flows must be as protected as login itself, since attackers increasingly attack enrollment instead. Monosign supports this transition by offering FIDO2 passkeys alongside classic MFA with adaptive step-up, letting teams migrate group by group without a hard cutover.

Frequently asked questions

Which MFA methods count as phishing-resistant?
FIDO2/WebAuthn authenticators, including passkeys and hardware security keys, and PKI-based smart card authentication. Methods that transmit a code or approval the user can be tricked into surrendering, such as SMS and app-generated one-time codes and standard push notifications, are not phishing-resistant.
Are passkeys safe if my phone is stolen?
Using a passkey requires unlocking the device and passing its biometric or PIN check, so a stolen phone alone does not expose accounts. Passkeys also cannot be extracted and reused like passwords. The remaining risk concentrates in account recovery, which should be protected as strictly as login.
Do we need to replace all existing MFA at once?
No. A phased approach works well: enforce phishing-resistant factors for administrators and high-risk access first, enroll the wider workforce over time, and progressively retire weaker fallbacks. The security gain arrives with each group migrated, and users often find passkeys faster than typing codes.